Offshore Outsourcing of Administrative Functions by State Medicaid Agencies
WHY WE DID THIS STUDY
Outsourcing occurs when State Medicaid agencies enter into agreements with contractors to perform administrative functions. Outsourcing can occur inside the United States (domestic outsourcing) or outside (offshore outsourcing) and can be direct (when a Medicaid agency contracts with an offshore contractor) or indirect (when a Medicaid agency's contractor subcontracts to an offshore contractor). There are no Federal regulations that prohibit the offshore outsourcing of Medicaid administrative functions. However, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to have business associate agreements (BAAs) to protect personal health information (PHI).
HOW WE DID THIS STUDY
We conducted a survey of 56 Medicaid agencies, including those of the District of Columbia and the U.S. territories. We asked Medicaid agencies (1) whether they had any policies, Executive Orders, State laws, or contract requirements (collectively, "requirements") addressing the outsourcing of administrative functions offshore and (2) whether they directly or indirectly outsourced administrative functions offshore. For Medicaid agencies with outsourcing requirements, we asked whether these requirements address PHI and whether the Medicaid agencies monitor contractors' compliance with the requirements. We reviewed the Medicaid agencies' requirements and BAAs. For the Medicaid agencies that outsource offshore, we asked what types of administrative functions are outsourced offshore.
WHAT WE FOUND
Only 15 of 56 Medicaid agencies have some form of State-specific requirement that addresses the outsourcing of administrative functions offshore. The remaining 41 Medicaid agencies reported no offshore outsourcing requirements and do not outsource administrative functions offshore. Among the 15 Medicaid agencies with requirements, 4 Medicaid agencies prohibit the outsourcing of administrative functions offshore and 11 Medicaid agencies allow it. The 11 Medicaid agencies that allow offshore outsourcing of administrative functions each maintain BAAs with contractors, which is a requirement under HIPAA. Among other things, BAAs are intended to safeguard PHI. These 11 Medicaid agencies do not have additional State requirements that specifically address safeguarding PHI. Seven of the eleven Medicaid agencies reported outsourcing offshore through subcontractors, but none reported sending PHI offshore. If Medicaid agencies engage in offshore outsourcing of administrative functions that involve PHI, it could present potential vulnerabilities. For example, Medicaid agencies or domestic contractors that send PHI offshore may have limited means of enforcing provisions of BAAs that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections.
This report does not contain recommendations.